- bt scanner reports in mail.log
- Posted by John Freeman on March 20th, 2006
Does anyone recognise these hits? I'm getting them every day:
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRe001190:
ruleset=check_rcpt, arg1=scanner.reports@bt.com,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186],
reject=550 5.7.1 scanner.reports@bt.com... Relaying denied
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRe001190:
from=scanner.reports@btinternet.com, size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA, relay=host213-1-119-186.imsnet3.btopenworld.com
[213.1.119.186]
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRf001190:
ruleset=check_mail, arg1=scanner.reports,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186],
reject=553 5.5.4 scanner.reports... Domain name required for sender
address scanner.reports
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRf001190:
from=scanner.reports, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186]
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRg001190:
ruleset=check_mail, arg1=scanner.reports@[mydomain],
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186],
reject=553 5.1.8 scanner.reports@[mydomain]... Domain of sender address
scanner.reports@[mydomain] does not exist
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRg001190:
from=scanner.reports@[mydomain], size=0, class=0, nrcpts=0, proto=SMTP,
daemon=MTA, relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186]
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRh001190:
ruleset=check_rcpt, arg1=scanner.reports@bt.com,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186],
reject=550 5.7.1 scanner.reports@bt.com... Relaying denied
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRh001190:
from=scanner.reports@[[mydomain]], size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA, relay=host213-1-119-186.imsnet3.btopenworld.com
[213.1.119.186]
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRi001190:
ruleset=check_mail, arg1=postmaster,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186],
reject=553 5.5.4 postmaster... Domain name required for sender address
postmaster
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRi001190:
from=postmaster, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186]
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRj001190:
ruleset=check_rcpt, arg1=scanner.reports@bt.com,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186],
reject=550 5.7.1 scanner.reports@bt.com... Relaying denied
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRj001190: from=<>,
size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA,
relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186]
I've written to scanner.reports@bt.com and if they respond I'll post it,
if no-one else can enlighten me.
Cheers
- Posted by Jerry Stuckle on March 20th, 2006
John Freeman wrote:
I think I can help with a few of these:
Someone tried to use your MTA to relay mail to another domain. This was
refused by your MTA, as it should have been.
Informational message
Reject the message. The sender's domain doesn't exist.
Informational message
Reject the message - the domain the sender used, "[mydomain]", doesn't exist.
Informational message
Another relay try was rejected
Another informational message
Another case where the sender's domain wasn't specified.
Still another attempt to relay through your MTA
Another informational message.
Bottom line - a spammer who has From: as "scanner.reports@[mydomain]"
has tried to send spam through your MTA. It was rejected, as it should
have been, for a variety of reasons - all valid.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
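An added example, not part of the original thread: a short Python parser that applies the reading given in the reply above to the posted sendmail entries, grouping rejects by connecting client and flagging repeated "Relaying denied" results. The function names and the `min_attempts` threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Entries copied from the log posted in this thread, unwrapped to one line each.
SAMPLE_LOG = """\
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRe001190: ruleset=check_rcpt, arg1=scanner.reports@bt.com, relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186], reject=550 5.7.1 scanner.reports@bt.com... Relaying denied
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRe001190: from=scanner.reports@btinternet.com, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186]
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRf001190: ruleset=check_mail, arg1=scanner.reports, relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186], reject=553 5.5.4 scanner.reports... Domain name required for sender address scanner.reports
Mar 20 10:56:27 localhost sendmail[1190]: k2KAuRRg001190: ruleset=check_mail, arg1=scanner.reports@[mydomain], relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186], reject=553 5.1.8 scanner.reports@[mydomain]... Domain of sender address scanner.reports@[mydomain] does not exist
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRh001190: ruleset=check_rcpt, arg1=scanner.reports@bt.com, relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186], reject=550 5.7.1 scanner.reports@bt.com... Relaying denied
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRi001190: ruleset=check_mail, arg1=postmaster, relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186], reject=553 5.5.4 postmaster... Domain name required for sender address postmaster
Mar 20 10:56:28 localhost sendmail[1190]: k2KAuRRj001190: ruleset=check_rcpt, arg1=scanner.reports@bt.com, relay=host213-1-119-186.imsnet3.btopenworld.com [213.1.119.186], reject=550 5.7.1 scanner.reports@bt.com... Relaying denied
"""

# Matches only the "ruleset=... reject=..." entries; the from=... lines carry no verdict.
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=(?P<ruleset>\w+), "
    r"arg1=(?P<arg1>[^,]+), relay=(?P<host>\S+) \[(?P<ip>[\d.]+)\], "
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<text>.*)$"
)

def parse_rejects(log_text):
    """Return one dict per reject entry; informational lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := REJECT_RE.search(line))]

def summarise_relay_probes(log_text, min_attempts=2):
    """Group rejects by client IP; flag clients with repeated 'Relaying denied'."""
    by_ip = defaultdict(lambda: {"relay_denied": 0, "bad_sender": 0,
                                 "rcpts": set(), "senders": set()})
    for r in parse_rejects(log_text):
        s = by_ip[r["ip"]]
        if r["ruleset"] == "check_rcpt" and "Relaying denied" in r["text"]:
            s["relay_denied"] += 1          # recipient outside our relay domains
            s["rcpts"].add(r["arg1"])
        elif r["ruleset"] == "check_mail":
            s["bad_sender"] += 1            # envelope sender failed validation
            s["senders"].add(r["arg1"])
    # min_attempts is an assumed threshold for calling the pattern a relay test.
    return {ip: dict(s, probe=s["relay_denied"] >= min_attempts)
            for ip, s in by_ip.items()}

if __name__ == "__main__":
    for ip, summary in summarise_relay_probes(SAMPLE_LOG).items():
        print(ip, summary)
```

Every reject in the sample comes from one client, always for the same outside recipient but with a different envelope sender each time.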
- Posted by John Freeman on March 20th, 2006
Jerry Stuckle wrote:
Thanks Jerry,
It's the only relay attempt that uses the BT argument and it's
remarkably persistent.
Odd that "scanner.reports@bt.com" as a search query turns up almost
nowhere else anywhere out there on the 'Net.
And there's no indication in the log about whence the attempt
originated, apart from 213.1.119.186.imsnet3.btopenworld.com, which I
think according to RIPE is BT themselves.
Oh well .. I'll leave sendmail to do its stuff.
Thanks again.
- Posted by Jerry Stuckle on March 20th, 2006
John Freeman wrote:
John,
It's probably a broadband user whose computer has been hijacked.
There's also the off-chance the user himself could be a spammer, but
that would be the ultimate in stupidity.
Of course, no one said spammers were smart.
- Posted by John Freeman on March 20th, 2006
Jerry Stuckle wrote:
This was included in BT's automated reply:
"9. BT port scan
To help protect our users and the network BT periodically carries out
port scanning activity. We do this to detect and contact customers with
open servers. Using open servers is a breach of the BT Terms &
Conditions / Acceptable Use Policies. For more details, please go to
http://www.abuse-guidance.com"
Nothing more about port-scanning at that link address, just a series of
cautions that no-one is allowed to use them (apart from BT, of course).
I think they're testing the MTA on 25.
So that would explain that.
- Posted by Jerry Stuckle on March 21st, 2006
John Freeman wrote:
Ah, ok, that sounds good. I wish more ISPs would look for open relays.


